Fix bug where implicit ports weren't used to match passthrough options

pimterry · pimterry · commit 6b71e8b1ba46 · 2023-07-11T16:58:17.000+02:00
Specifically ignoreHostCertificateErrors and clientCertificateHostMap,
which match against both hostname and hostname:port keys. In practice,
this meant that matching against example.com:443 did not match HTTPS
to that hostname, for example, because the 443 is implicit in the URL.
diff --git a/src/rules/passthrough-handling.ts b/src/rules/passthrough-handling.ts
@@ -257,7 +257,7 @@ export function getContentLengthAfterModification(
 // based on the given config
 export function shouldUseStrictHttps(
     hostname: string,
-    port: string,
+    port: number,
     ignoreHostHttpsErrors: string[] | boolean
 ) {
     let skipHttpsErrors = false;
diff --git a/src/rules/requests/request-handlers.ts b/src/rules/requests/request-handlers.ts
@@ -639,10 +639,18 @@ export class PassThroughHandler extends PassThroughHandlerDefinition {
             rawHeaders = objectHeadersToRaw(headers);
         }
 
-        const strictHttpsChecks = shouldUseStrictHttps(hostname!, port!, this. ignoreHostHttpsErrors);
+        const effectivePort = !!port
+            ? parseInt(port, 10)
+            : (protocol === 'https:' ? 443 : 80);
+
+        const strictHttpsChecks = shouldUseStrictHttps(
+            hostname!,
+            effectivePort!,
+            this.ignoreHostHttpsErrors
+        );
 
         // Use a client cert if it's listed for the host+port or whole hostname
-        const hostWithPort = `${hostname}:${port}`;
+        const hostWithPort = `${hostname}:${effectivePort}`;
         const clientCert = this.clientCertificateHostMap[hostWithPort] ||
             this.clientCertificateHostMap[hostname!] ||
             {};
@@ -656,10 +664,6 @@ export class PassThroughHandler extends PassThroughHandlerDefinition {
         // and we can't use ALPN to detect HTTP/2 support cleanly.
         let shouldTryH2Upstream = isH2Downstream && protocol === 'https:';
 
-        const effectivePort = !!port
-            ? parseInt(port, 10)
-            : (protocol === 'https:' ? 443 : 80);
-
         let family: undefined | 4 | 6;
         if (hostname === 'localhost') {
             // Annoying special case: some localhost servers listen only on either ipv4 or ipv6.
diff --git a/src/rules/websockets/websocket-handlers.ts b/src/rules/websockets/websocket-handlers.ts
@@ -292,9 +292,14 @@ export class PassThroughWebSocketHandler extends PassThroughWebSocketHandlerDefi
         head: Buffer
     ) {
         const parsedUrl = url.parse(wsUrl);
+
+        const effectivePort = !!parsedUrl.port
+            ? parseInt(parsedUrl.port, 10)
+            : parsedUrl.protocol == 'wss:' ? 443 : 80;
+
         const checkServerCertificate = shouldUseStrictHttps(
             parsedUrl.hostname!,
-            parsedUrl.port!,
+            effectivePort,
             this.ignoreHostHttpsErrors
         );
 
@@ -303,10 +308,6 @@ export class PassThroughWebSocketHandler extends PassThroughWebSocketHandlerDefi
             ? { ca: trustedCerts }
             : {};
 
-        const effectivePort = !!parsedUrl.port
-            ? parseInt(parsedUrl.port, 10)
-            : parsedUrl.protocol == 'wss:' ? 443 : 80;
-
         const proxySettingSource = assertParamDereferenced(this.proxyConfig) as ProxySettingSource;
 
         const agent = await getAgent({
